Werner Lemberg pushed to branch master at FreeType / FreeType
Commits:
-
57c4252a
by Werner Lemberg at 2024-01-02T17:55:33+01:00
1 changed file:
Changes:
... | ... | @@ -1269,6 +1269,7 @@ |
1269 | 1269 | static FT_Bool
|
1270 | 1270 | find_base_glyph_v1_record( FT_Byte * base_glyph_begin,
|
1271 | 1271 | FT_UInt num_base_glyph,
|
1272 | + FT_Byte * end_colr,
|
|
1272 | 1273 | FT_UInt glyph_id,
|
1273 | 1274 | BaseGlyphV1Record *record )
|
1274 | 1275 | {
|
... | ... | @@ -1287,6 +1288,14 @@ |
1287 | 1288 | */
|
1288 | 1289 | FT_Byte *p = base_glyph_begin + 4 + mid * BASE_GLYPH_PAINT_RECORD_SIZE;
|
1289 | 1290 | |
1291 | + |
|
1292 | + /* We need to be able to read 2 bytes (FT_NEXT_USHORT) for the glyph */
|
|
1293 | + /* ID, then 4 bytes (FT_NEXT_ULONG) for the paint offset. If that's */
|
|
1294 | + /* not available before the end of the table, something's wrong with */
|
|
1295 | + /* the font and we can't find a COLRv1 glyph. */
|
|
1296 | + if ( p > end_colr - 2 - 4 )
|
|
1297 | + return 0;
|
|
1298 | + |
|
1290 | 1299 | FT_UShort gid = FT_NEXT_USHORT( p );
|
1291 | 1300 | |
1292 | 1301 | |
... | ... | @@ -1328,6 +1337,7 @@ |
1328 | 1337 | |
1329 | 1338 | if ( !find_base_glyph_v1_record( colr->base_glyphs_v1,
|
1330 | 1339 | colr->num_base_glyphs_v1,
|
1340 | + (FT_Byte*)colr->table + colr->table_size,
|
|
1331 | 1341 | base_glyph,
|
1332 | 1342 | &base_glyph_v1_record ) )
|
1333 | 1343 | return 0;
|